10190 matches found
Incorrect DAG generation result caused by index overflow
Lines of code Vulnerability details Incorrect DAG generation result caused by index overflow We recently found that the optimism@382d38b repository has a flaw in DAG generation for ethhash mining, which will cause miners to erroneously calculate PoW in an upcoming epoch. Specifically, if the DAG...
4 issues in the L2CrossDomainMessenger.relayMessage() function. Described one after other.
Lines of code Vulnerability details Impact 1. Loss of funds. 2. Unpermitted function calls. Proof of Concept 1. The function proceeds only if successfulMessagesxDomainCalldataHash is false require successfulMessagesxDomainCalldataHash == false, "Provided message has already been received." ; but...
Chain split caused by memory corruption in EVM
Lines of code Vulnerability details Chain split caused by memory corruption in EVM We recently found that the op-geth@3fa9e81 repository has a memory corruption vulnerability in EVM, which can cause a consensus error. Specifically, vulnerable nodes obtain a different stateRoot when processing a...
Attacker can frontrun user bid with wrong lotId and create the lot with that lotId, forcing the user to take a big loss
Lines of code Vulnerability details Impact User takes a huge loss by getting 1 SD token, but bidding an amount possibly much bigger. Attackers are incentivized to perform this if they are ETHx holders and want to increase the value of their tokens. Proof of Concept When a user adds a bid to the...
Attacker can spam addCredit() function to cause a denial-of-service during an auction
Lines of code Vulnerability details The ParticleExchange contract does not store any data about the lien in the contract storage. Instead, users must send the entire Lien struct when interacting with any existing lien, and the contract checks if the hash of the struct is correct. This poses a...
_execBuyNftFromMarket() Need to determine if NFT can't already be in the contract
Lines of code Vulnerability details Impact Use other Lien's NFTs for repayment Proof of Concept execBuyNftFromMarket Whether the NFT is in the current contract after buy, to represent the successful buy of NFT function execBuyNftFromMarket address collection, uint256 tokenId, uint256 amount,...
Particle Exchange can be used to swap NFTs within the collection for free
Lines of code Vulnerability details Particle Exchange can be used to swap NFTs within the collection for free Impact In Particle, a borrower can take an NFT as a loan and close it using another NFT within the same collection. This is present in the different functions that can be used to repay a...
Changing _treasuryRate can cause lender to lose some interest that it is entitled to
Lines of code Vulnerability details Impact Calling the following ParticleExchange.buyNftFromMarket, ParticleExchange.repayWithNft, ParticleExchange.refinanceLoan, and ParticleExchange.auctionBuyNft functions accrue interestAccrued for the corresponding lender. When calling these functions, the...
Wrong assumption that NFT is not in contract when loan is active
Lines of code Vulnerability details Impact The lender might lose or be robbed of his supplied NFT. Proof of Concept A lender can withdraw the NFT in his lien if it is not currently on loan by calling withdrawNftWithInterest. This is checked by relying on IRC721.safeTransferFrom to revert if the N...
addCredit() DOS Attack
Lines of code Vulnerability details Impact DOS Attack Proof of Concept addCredit can be called by anyone, and the msg.value is as small as 1 wei. Users can modify Lien at a small cost, causing the value stored in lienslienId=keccak256abi.encodelien to change By front-run, the normal user's...
Treasury fee not applied in withdrawEthWithInterest()
Lines of code Vulnerability details Impact In the Particle protocol, a portion of the lender's interest is kept by the treasury as described in the docs, and is also implemented in the withdrawAccountInterest function. However, in the withdrawEthWithInterest function, the lender receives the enti...
Lender can auction the loan without any restriction to cause losses to the borrower
Lines of code Vulnerability details Lender can auction the loan without any restriction to cause losses to the borrower Impact The lender can unilaterally decide to auction a loan at any time, without any restriction. The process can be started by calling startLoanAuction and offers to repay the...
Treasury fee is not collected in withdrawEthWithInterest()
Lines of code Vulnerability details Treasury fee is not collected in withdrawEthWithInterest The withdrawEthWithInterest function fails to collect treasury fees from the lender interests. Impact The Particle exchange collects treasury fees from the lender's interests. These interests are...
Function _execBuyNftFromMarket() Fails to Check the Actual ETH Balance in the Contract After Executing the Trade
Lines of code Vulnerability details Impact In the function execBuyNftFromMarket, if the user chooses to use WETH, the function deposits ETH and approves the amount of WETH to the marketplace. After executing the trade at the marketplace, the function checks that the balance decrease is correct in...
New treasury rate should not affect existing loan
Lines of code Vulnerability details Impact In the protocol, lenders have to pay a small treasury fee when they claim their interest. The contract owner can change this treasuryRate at any time using the function setTreasuryRate. // @audit treasury rate should not affect existing loan function...
Borrower can block being defaulted or auctioned
Lines of code Vulnerability details Borrower can block being defaulted or auctioned The borrower can potentially block the liquidation and auction processed by using a contract and reverting on ETH transfers. Impact When a loan is being liquidated or auctioned, any credit still available to the...
auctionBuyNft() borrower can block the bidding
Lines of code Vulnerability details Impact borrower can block the bidding Proof of Concept auctionBuyNft When the bid is successful and there is an extra amount, it will be refunded to borrower The code is as follows: function auctionBuyNft Lien calldata lien, uint256 lienId, uint256 tokenId,...
Marketplace may call onERC721Received() and create a lien during buyNftFromMarket(), creating divergence
Lines of code Vulnerability details Impact The contract supports a "push-based" NFT supply, where the price and rate are embedded in the data bytes. This way, the lender doesn't need to additionally approve the NFT but can just transfer it directly to the contract. However, since the contract als...
Lender can prevent borrower from returning NFT
Lines of code Vulnerability details Impact The lender can prevent the borrower of his NFT from returning it, forcing him to pay interest for longer. Proof of Concept The borrower returns the NFT owed by calling repayWithNftlien, lienId, tokenId. This will then validateLienlien, lienId which check...
DoS of liquidation
Lines of code Vulnerability details Impact The lender can be prevented from liquidating the borrower, at negligible cost to the borrower. Proof of Concept When the borrower is insolvent the lender can liquidate him by withdrawEthWithInterestlien, lienId. The parameters are verified by the modifie...
Lender can front-run calls to auctionBuyNft() to DoS auctions
Lines of code Vulnerability details Lender can front-run calls to auctionBuyNft to DoS auctions Lenders can DoS auction offers by resetting the auction process. Impact The Particle protocol allows lenders to auction their loans in case any interested party wants to repay the NFT of the loan. The...
Wrong assumption in function withdrawNftWithInterest() could allow lender to withdraw NFT from active loan
Lines of code Vulnerability details Impact In the withdrawNftWithInterest function, the lender can withdraw an NFT back if the NFT is currently in the contract without an active loan. However, the function makes an incorrect assumption that if the NFT can be withdrawn, then the loan is not active...
Lenders can lose interest
Lines of code Vulnerability details Impact The protocol can steal all interest accrued to lenders, and cannot guarantee that the lenders will receive their due interest. Proof of Concept treasuryRate determines the proportion of the interest paid to the protocol whenever interest is paid, which...
addCredit() impacts the price curve of loan auctions
Lines of code Vulnerability details Impact The price curve of a loan auction is supposed to depend only on block.timestamp, meaning that the price increases as time goes on. However, the addCredit function allows anyone to change or increase the value of lien.credit. If lien.credit is increased,...
_execSellNftToMarket() re-enter steal funds
Lines of code Vulnerability details Impact re-enter steal funds Proof of Concept execSellNftToMarket The number of changes in the balance to represent whether the corresponding amount has been received function execSellNftToMarket address collection, uint256 tokenId, uint256 amount, bool pushBase...
Risk of accidental DoS while receiving NFTs from marketplaces
Lines of code Vulnerability details Risk of accidental DoS while receiving NFTs from marketplaces The implementation of onERC721Received can lead to an accidental denial of service. Impact The Particle protocol supports creating liens by pushing the NFT instead of the usual pull approach. This is...
Attacker can use buyNftFromMarket() to buy an NFT from an arbitrary collection
Lines of code Vulnerability details Impact The function buyNftFromMarket allows a borrower to buy an NFT from the same collection to repay a loan. At the end of the function flow, it checks that the contract actually holds the NFT tokenId and assumes that it is the acquired NFT. However, this is...
ParticleExchange.auctionBuyNft and ParticleExchange.withdrawEthWithInterest function calls can be DOS'ed
Lines of code Vulnerability details Impact When lien.borrower is a contract, its receive function can be coded to conditionally revert based on a state boolean variable controlled by lien.borrower's owner. As long as payback 0 is true, lien.borrower's receive function would be called when calling...
newLien.lender can steal NFT that should belong to oldLien.lender after refinancing
Lines of code Vulnerability details Impact After calling the following ParticleExchange.refinanceLoan function, collection are the same and tokenId become newLien.tokenId for both the old and new liens. function refinanceLoan Lien calldata oldLien, uint256 oldLienId, Lien calldata newLien, uint25...
Unspent WETH is not considered in buyNftFromMarket()
Lines of code Vulnerability details Unspent WETH is not considered in buyNftFromMarket Impact In the buyNftFromMarket function, the borrower buys an NFT in order to repay and close their loan. The purchase is executed in the internal function named execBuyNftFromMarket. 395: function...
Borrower cannot stop loss when fungibility breaks
Lines of code Vulnerability details Impact When the borrower cannot repay with NFT he will be forced to forsake his entire credit. This situation can be deliberately instigated by the lender. Proof of Concept A borrower can only leave his position by returning an NFT buyNftFromMarket or...
withdrawNftWithInterest() possible take away other Lien's NFT
Lines of code Vulnerability details Impact Possible take away other Lien's NFT Proof of Concept withdrawNftWithInterest Used to retrieve NFT The only current restriction is that if you can transfer out of NFT, it means an inactive loan function withdrawNftWithInterestLien calldata lien, uint256...
DoS of auctionBuyNft()
Lines of code Vulnerability details Impact An auction can be forced to conclude, which is typically to the benefit of the lender. Proof of Concept auctionBuyNftlien, lienId, tokenId, amount validates the lien in question by validateLienlien, lienId which checks that the lien is hashed to the same...
Calling ParticleExchange.sellNftToMarket, ParticleExchange.swapWithEth, and ParticleExchange.refinanceLoan functions can allow insolvent positions to be opened
Lines of code Vulnerability details Impact When calling the following ParticleExchange.sellNftToMarket function, it is possible to input amount and msg.value, which can sum up to lien.price and make credit equal 0. Although credit of lienslienId is 0 in this case, calling the...
Supplying NFT, which is borrowed from Particle Exchange, to Particle Exchange can cause original lien's borrower to lose such NFT and previously sent msg.value even though its position for original lien is not yet insolvent
Lines of code Vulnerability details Impact After a borrower calls the following ParticleExchange.swapWithEth function, the borrower receives the corresponding NFT. function swapWithEthLien calldata lien, uint256 lienId external payable override validateLienlien, lienId ... /// @dev cannot instant...
Borrowers can still close loan normally while being defaulted
Lines of code Vulnerability details Borrowers can still close loan normally while being defaulted A borrower can repay a loan normally while having outstanding debt and close it causing losses to the lender. Impact Loans in the Particle protocol are subject to an interest rate defined by the...
Calling ParticleExchange.withdrawEthWithInterest function causes _treasury to lose portion of payableInterest that it is entitled to
Lines of code Vulnerability details Impact When lien.lender calls the following ParticleExchange.withdrawEthWithInterest function, uint256 payableInterest = calculateCurrentPayableInterestlien is executed. Calling the ParticleExchange.calculateCurrentPayableInterest function below does not accrue...
Upgraded Q -> 2 from #308 [1685704892606]
Judge has assessed an item in Issue 308 as 2 risk. The relevant finding follows: L-04 MINNONZEROTOTALSHARES of 1e9 could lead to stuck funds for underlying tokens with lower decimals in the future StrategyBase.solL28 uint96 internal constant MINNONZEROTOTALSHARES = 1e9; In the future, to support...
Borrowing without paying interest
Lines of code Vulnerability details Impact A lender can be prevented from withdrawing from his lien, without having to pay him interest. Only a few negligible wei have to be paid for technical reasons. This enables the trader to open a risk free position. Long: The trader swaps the NFT in the lie...
Borrower can reject receiving ETH thus prevent lender from calling withdrawEthWithInterest()
Lines of code Vulnerability details Impact The withdrawEthWithInterest function transfers ETH with interest back to the lender in case the loan is insolvent or the auction has concluded. It also transfers PnL to the borrower. However, if the borrower is a smart contract and rejects receiving ETH,...
Upgraded Q -> 2 from #454 [1685704791672]
Judge has assessed an item in Issue 454 as 2 risk. The relevant finding follows: L-1 StrategyBaseMINNONZEROTOTALSHARES constant doesn't support tokens with 1e6 decimals The minimal value will be too high for tokens with 1e6 decimals USDT, USDC. 28: uint96 internal constant MINNONZEROTOTALSHARES =...
NFT withdrawal grief
Lines of code Vulnerability details Impact A lienee whose NFT is not currently on loan may be prevented from withdrawing it. Proof of Concept A lienee who wishes to withdraw his NFT calls withdrawNftWithInterest which tries to IERC721.safeTransferFrom the NFT, which therefore reverts if the NFT i...
If no funds are deposited at the beginning, L1-L2 cannot be transferred out
Lines of code Vulnerability details Impact If a user transfers tokenA-tokenB from L1 to L2, and the L2 depositstokenBtokenA is zero at the beginning, it will cause the user to lose his funds. Proof of Concept First, the user transfers TokenA, and it will send a Message to L2 and L2 will call finalizeBridgeERC20...
_initiateBridgeERC20() does not check if _remoteToken is valid. When the message is sent to L2, it will cause the user to lose funds in L1
Lines of code Vulnerability details Impact initiateBridgeERC20 does not check if remoteToken is valid. When the message is sent to L2, it will cause the user to lose funds in L1 Proof of Concept As we can see, the initiateBridgeERC20 just checks isOptimismMintableERC20localToken; if valid, it will call...
rwar
Lines of code L1 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assess...
teteat
Lines of code L1 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps Assess...
NOT CONFIRMED
Lines of code L1 Vulnerability details MITIGATED Assessed type Under/Overflow
Upgraded Q -> 2 from #11 [1685528541946]
Judge has assessed an item in Issue 11 as 2 risk. The relevant finding follows: L-01 DOS: Users can't call accept if others called rageQuit within the same block.
Upgraded Q -> 2 from #11 [1685528549173]
Judge has assessed an item in Issue 11 as 2 risk. The relevant finding follows: L-02 A reentrancy attack is possible in rageQuit by hosts
Upgraded Q -> 2 from #20 [1685526689823]
Judge has assessed an item in Issue 20 as 2 risk. The relevant finding follows: L-2 Rage quit forfeits pending claims in TokenDistributor